ERROR: Linux route add command failed: external program exited with error status: 1

radu
OpenVpn Newbie
Posts: 14
Joined: Sun Nov 08, 2015 6:49 pm


Post by radu » Tue Oct 25, 2016 6:05 pm

Hi guys,

I have a configuration that allowed me to route all traffic through VPN for about a year, but after a dd-wrt update I just couldn't make it work anymore, was failing to add route. Unfortunately had a TP-Link when it worked, did a restore to original firmware and they blocked custom firmware; now new client router also says "Linux route add command failed" but "external program exited with error status: 1" instead of status: 2, as TP-Link did:

State
Client: CONNECTED SUCCESS
Local Address: 10.1.1.2
Remote Address: 10.1.1.2

Status
VPN Client Stats
TUN/TAP read bytes 17171
TUN/TAP write bytes 0
TCP/UDP read bytes 3735
TCP/UDP write bytes 23022
Auth read bytes 64
pre-compress bytes 7914
post-compress bytes 7988
pre-decompress bytes 0
post-decompress bytes 0

Log
Clientlog:
20161025 20:20:17 I OpenVPN 2.3.12 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 18 2016
20161025 20:20:17 I library versions: OpenSSL 1.0.2j 26 Sep 2016 LZO 2.09
20161025 20:20:17 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20161025 20:20:17 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20161025 20:20:17 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20161025 20:20:17 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20161025 20:20:17 Socket Buffers: R=[87380->87380] S=[16384->16384]
20161025 20:20:17 I Attempting to establish TCP connection with [AF_INET]82.xx.xx.48:443 [nonblock]
20161025 20:20:18 I TCP connection established with [AF_INET]82.xx.xx.48:443
20161025 20:20:18 I TCPv4_CLIENT link local: [undef]
20161025 20:20:18 I TCPv4_CLIENT link remote: [AF_INET]82.xx.xx.48:443
20161025 20:20:18 TLS: Initial packet from [AF_INET]82.xx.xx.48:443 sid=7e483803 e26adfea
20161025 20:20:18 VERIFY OK: depth=1 C=xx ST=xx L=xxx O=Radu OU=HomeServer CN=HomeServer name=HomeServer emailAddress=xx@xx.com
20161025 20:20:18 VERIFY OK: depth=0 C=xx ST=xx L=xx O=Radu OU=HomeServer CN=NightHawk name=NightHawk emailAddress=xx@oxx.com
20161025 20:20:18 NOTE: --mute triggered...
20161025 20:20:18 1 variation(s) on previous 3 message(s) suppressed by --mute
20161025 20:20:18 W WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
20161025 20:20:18 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20161025 20:20:18 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
20161025 20:20:18 W WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
20161025 20:20:18 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20161025 20:20:18 Control Channel: TLSv1.2 cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384 1024 bit RSA
20161025 20:20:18 I [NightHawk] Peer Connection Initiated with [AF_INET]82.xx.xx.48:443
20161025 20:20:20 SENT CONTROL [NightHawk]: 'PUSH_REQUEST' (status=1)
20161025 20:20:20 PUSH: Received control message: 'PUSH_REPLY route 192.168.1.1 255.255.255.0 redirect-gateway def1 dhcp-option DNS 193.xx.xx.1 route-gateway 10.1.1.1 topology subnet ping 10 ping-restart 120 socket-flags TCP_NODELAY ifconfig 10.1.1.2 255.255.255.0'
20161025 20:20:20 OPTIONS IMPORT: timers and/or timeouts modified
20161025 20:20:20 NOTE: --mute triggered...
20161025 20:20:20 5 variation(s) on previous 3 message(s) suppressed by --mute
20161025 20:20:20 I TUN/TAP device tun1 opened
20161025 20:20:20 TUN/TAP TX queue length set to 100
20161025 20:20:20 I do_ifconfig tt->ipv6=1 tt->did_ifconfig_ipv6_setup=0
20161025 20:20:20 I /sbin/ifconfig tun1 10.1.1.2 netmask 255.255.255.0 mtu 1500 broadcast 10.1.1.255
20161025 20:20:20 /sbin/route add -net 82.79.46.48 netmask 255.255.255.255 gw 192.168.0.1
20161025 20:20:20 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.1.1.1
20161025 20:20:20 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.1.1.1
20161025 20:20:20 /sbin/route add -net 192.168.1.1 netmask 255.255.255.0 gw 10.1.1.1
20161025 20:20:20 W ERROR: Linux route add command failed: external program exited with error status: 1
20161025 20:20:20 I Initialization Sequence Completed
20161025 20:20:22 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20161025 20:20:22 D MANAGEMENT: CMD 'state'
20161025 20:20:22 MANAGEMENT: Client disconnected

This would be the server log:
20161025 20:20:17 I TCP connection established with [AF_INET]95.xx.xx.1:60182
20161025 20:20:18 95.91.250.1:60182 TLS: Initial packet from [AF_INET]95.xx.xx.1:60182 sid=ca05dfea e5bb0e4e
20161025 20:20:18 95.91.250.1:60182 VERIFY OK: depth=1 C=xx ST=xx L=xx O=Radu OU=HomeServer CN=HomeServer name=HomeServer emailAddress=xx@xx.com
20161025 20:20:18 95.91.250.1:60182 VERIFY OK: depth=0 C=xx ST=xx L=xx O=Radu OU=HomeServer CN=Archer name=Archer emailAddress=xx@xx.com
20161025 20:20:18 95.91.250.1:60182 NOTE: --mute triggered...
20161025 20:20:18 95.91.250.1:60182 5 variation(s) on previous 3 message(s) suppressed by --mute
20161025 20:20:18 I 95.91.250.1:60182 [Archer] Peer Connection Initiated with [AF_INET]95.xx.xx.1:60182
20161025 20:20:18 I Archer/95.xx.xx.1:60182 MULTI_sva: pool returned IPv4=10.1.1.2 IPv6=(Not enabled)
20161025 20:20:18 Archer/95.xx.xx.1:60182 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_044afbfeb0c46a9ca6edba6296966941.tmp
20161025 20:20:18 Archer/95.xx.xx.1:60182 MULTI: Learn: 10.1.1.2 -> Archer/95.xx.xx.1:60182
20161025 20:20:18 Archer/95.xx.xx.1:60182 MULTI: primary virtual IP for Archer/95.xx.xx.1:60182: 10.1.1.2
20161025 20:20:20 Archer/95.xx.xx.1:60182 PUSH: Received control message: 'PUSH_REQUEST'
20161025 20:20:20 I Archer/95.xx.xx.1:60182 send_push_reply(): safe_cap=940
20161025 20:20:20 Archer/95.xx.xx.1:60182 SENT CONTROL [Archer]: 'PUSH_REPLY route 192.168.1.1 255.255.255.0 redirect-gateway def1 dhcp-option DNS 193.xx.xx.1 route-gateway 10.1.1.1 topology subnet ping 10 ping-restart 120 socket-flags TCP_NODELAY ifconfig 10.1.1.2 255.255.255.0' (status=1)

Here are the configs (firewall and IP v6 off):

SERVER CONFIG (Home Location router); LAN IP: 192.168.1.1

Start Type: System
Config as: Server
Server Mode: Router (TUN)
Network: 10.1.1.0
Netmask: 255.255.255.0
Port: 443
Tunnel Protocol: TCP
Encryptions Cipher: Blowfish CBC
Hash Algorithm: SHA1
Advanced Options: Disable

Additional Config:
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS [provider dns]"
push "dhcp-option DNS [2nd provider dns]"
push "redirect-gateway def1"
server 10.1.1.0 255.255.255.0
dev tun0
proto tcp-server
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem



CLIENT CONFIG (roaming location router); LAN IP: 192.168.2.1

Server IP/Name: [ddns link]
Port: 443
Tunnel Device: TUN
Tunnel Protocol: TCP
Encryption Cipher: Blowfish CBC
Hash Algorithm: SHA1
Advanced Options: Disable


any ideas?

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: ERROR: Linux route add command failed: external program exited with error status: 1

Post by TinCanTech » Tue Oct 25, 2016 6:26 pm

You have not posted your correct server config.

radu
OpenVpn Newbie
Posts: 14
Joined: Sun Nov 08, 2015 6:49 pm

Re: ERROR: Linux route add command failed: external program exited with error status: 1

Post by radu » Tue Oct 25, 2016 6:55 pm

Thanks for your quick reply, TinCanTech.

I don't have config files, I am using both server and client on dd-wrt routers and I used the graphic interface to set it up; by config I meant the values I used in this interface.

radu
OpenVpn Newbie
Posts: 14
Joined: Sun Nov 08, 2015 6:49 pm

Re: ERROR: Linux route add command failed: external program exited with error status: 1

Post by radu » Tue Oct 25, 2016 7:04 pm

Here is the server config; however, please note that I didn't do any changes to the server, the only change that I did was to the client. And the new client is using the same configuration as the one that worked without any problems for almost a year (and meanwhile changed the cipher and algorithm on both server and client):

dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 443
proto tcp-server
cipher aes-512-cbc
auth sha512
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
comp-lzo adaptive
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
tcp-nodelay
tun-mtu 1500
mtu-disc yes
server 10.1.1.0 255.255.255.0
dev tun2
tun-ipv6
push "route 192.168.1.1 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 193.xx.xx.1"
server 10.1.1.0 255.255.255.0
dev tun0
proto tcp-server
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem


So the tunnel connects, but there is no routing. Same "W ERROR: Linux route add command failed: external program exited with error status: 1"

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: ERROR: Linux route add command failed: external program exited with error status: 1

Post by TinCanTech » Tue Oct 25, 2016 9:18 pm

This is wrong
radu wrote:push "route 192.168.1.1 255.255.255.0"
should be

push "route 192.168.1.0 255.255.255.0"

radu
OpenVpn Newbie
Posts: 14
Joined: Sun Nov 08, 2015 6:49 pm

Re: ERROR: Linux route add command failed: external program exited with error status: 1

Post by radu » Wed Oct 26, 2016 5:55 am

not necessarily, since the start IP is 1.100; but I'll change that, wait a sec...nope, not working, still no routing.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: ERROR: Linux route add command failed: external program exited with error status: 1

Post by TinCanTech » Wed Oct 26, 2016 10:01 am

radu wrote:not necessarily
It is wrong under any circumstances .. hence the error.
radu wrote:still no routing
Please see:
HOWTO: Routing all client traffic (including web-traffic) through the VPN

Also,
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
:arrow: Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN Server LAN :!:
  • You are advised to change your server LAN to a more unique RFC1918 compliant subnet. f.e 192.168.143.0/24
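
The two points in this reply (a pushed route whose address is not the network address for its netmask, and a server LAN on a commonly used subnet) can be checked mechanically before a config goes live. The following is an added example, not part of the original posts or of OpenVPN; `check_routes`, `SAMPLE_CONFIG` and `COMMON_LANS` are names made up here, the sample config is constructed from the directives posted above, and only the explicit `route <address> <netmask>` form is handled.

```python
import ipaddress
import re

# Constructed sample, built from the directives posted earlier in the thread.
SAMPLE_CONFIG = """\
topology subnet
server 10.1.1.0 255.255.255.0
push "route 192.168.1.1 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 193.xx.xx.1"
"""

# Subnets the reply above says never to use for the server LAN.
COMMON_LANS = [ipaddress.ip_network("192.168.0.0/24"),
               ipaddress.ip_network("192.168.1.0/24")]

# Matches `route A M` and `push "route A M"`; `route-gateway` does not match.
ROUTE_RE = re.compile(
    r'^\s*(?:push\s+")?route\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})')


def check_routes(config_text):
    """Return (line_number, directive, problem) for each questionable route."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        match = ROUTE_RE.match(line)
        if not match:
            continue
        address, netmask = match.groups()
        try:
            # strict=False clears the host bits instead of raising, so the
            # result can be compared with what the config actually says.
            net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
        except ValueError as exc:
            findings.append((number, line.strip(), f"invalid route: {exc}"))
            continue
        if str(net.network_address) != address:
            findings.append((number, line.strip(),
                             f"host bits set, use {net.network_address}"))
        if any(net.overlaps(lan) for lan in COMMON_LANS):
            findings.append((number, line.strip(),
                             "overlaps a commonly used LAN subnet"))
    return findings


if __name__ == "__main__":
    for number, directive, problem in check_routes(SAMPLE_CONFIG):
        print(f"line {number}: {directive}: {problem}")
```

On the sample it reports line 3 twice: once for the host bits in `192.168.1.1` and once for the overlap with `192.168.1.0/24`.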

radu
OpenVpn Newbie
Posts: 14
Joined: Sun Nov 08, 2015 6:49 pm

Re: ERROR: Linux route add command failed: external program exited with error status: 1

Post by radu » Wed Oct 26, 2016 6:14 pm

Indeed, after correcting the .1 thing, no more error. However, I still cannot ping the server. Any ideas?
Here's the traceroute:

Interface List
9...00 27 10 20 6a 28 ......Intel(R) Centrino(R) Advanced-N 6200 AGN
1...........................Software Loopback Interface 1
2...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.101 55
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.2.0 255.255.255.0 On-link 192.168.2.101 311
192.168.2.101 255.255.255.255 On-link 192.168.2.101 311
192.168.2.255 255.255.255.255 On-link 192.168.2.101 311
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.2.101 311
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.2.101 311
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
2 331 ::/0 On-link
1 331 ::1/128 On-link
2 331 2001::/32 On-link
2 331 2001:0:5ef5:79fd:242b:73a9:a0a4:1452/128
On-link
9 311 fe80::/64 On-link
2 331 fe80::/64 On-link
2 331 fe80::242b:73a9:a0a4:1452/128
On-link
9 311 fe80::4550:e33f:4381:aa6f/128
On-link
1 331 ff00::/8 On-link
9 311 ff00::/8 On-link
2 331 ff00::/8 On-link
===========================================================================
Persistent Routes:
None


any other ideas?

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: ERROR: Linux route add command failed: external program exited with error status: 1

Post by TinCanTech » Wed Oct 26, 2016 7:29 pm

radu wrote:Any ideas?
TinCanTech wrote:You have not posted your correct server config.
according to your own routing table ..

I suggest you start with this:
HOWTO: Request Help !

Post the correct details and do not keep fiddling ..

Otherwise, I am tuning you out :ugeek:

radu
OpenVpn Newbie
Posts: 14
Joined: Sun Nov 08, 2015 6:49 pm

Re: ERROR: Linux route add command failed: external program exited with error status: 1

Post by radu » Wed Oct 26, 2016 7:33 pm

farewell then! I will tune myself out, rather than being tuned by you.

radu
OpenVpn Newbie
Posts: 14
Joined: Sun Nov 08, 2015 6:49 pm

Re: ERROR: Linux route add command failed: external program exited with error status: 1

Post by radu » Sun Oct 30, 2016 5:05 am

For other people with the same issue:

1. Don't use the 512 cipher, even if it exists in dd-wrt, openvpn doesn't support it
2. after changing MTU to auto, it just started working (MTU in dd-wrt Basic Setup that is, I guess it influences mtu-link in the openvpn client)
3. ignore ****heads like "justice" here
